Saturday, September 27, 2008

If you wonder "What makes secure software different?", you will realize that security is an innate property of software that was expected to be built in from the start. Unfortunately, most applications lack security today. The traditional practices used to develop outsourced applications are no longer effective, and even the Indian IT services companies lag behind the global industry in improving their SDLC. One of the weakest areas for these companies is software security. The current business environment is fraught with risk, and applications demand tight software security embedded inside them to keep attackers out. To incorporate software security measures, enterprises need to change their existing application development lifecycle.

Many companies have, to an extent, started addressing security earlier in the lifecycle to mitigate the risk of application security attacks, but there is still room for improvement. The application security landscape is changing rapidly.

Customers outsourcing applications need to ensure that the IT services provider's application development lifecycle embeds software security throughout. The IT services companies, on the other hand, need to give customers confidence in the level of software security built into their SDLC.

Maintaining a high level of security is no simple proposition. One of the key issues with outsourced applications is that, unlike functional concerns, non-functional concerns such as security and performance are always given lower priority. If the services companies fail to understand the importance of these non-functional factors, the customer loses out. In the end, security defects injected through the absence of such measures during the SDLC can destroy customer value and trust.

Growing Demand for Moving Security Earlier in the SDLC

Application security has emerged as a key component of the overall enterprise defense strategy. Companies that build a strong line of defense usually learn to think like an attacker. Often a developer is asked to wear two hats: one as a developer who works in complex distributed environments, and the other as a security expert who builds security into the software. Organizations that understand application security practices and priorities are using resources far more effectively than in years past, while avoiding costly and potentially crippling problems.

In years past, anti-virus software, firewalls, intrusion detection and intrusion prevention systems have been successful enough at protecting networks and hosts. While the bulk of attacks still happen at the network layer, attackers have successfully compromised applications even though applications are targeted less often. The industry reports organizations suffering application attacks with significant application downtime or loss of customer data. Financial institutions, healthcare providers, retailers, the telecom industry and even IT companies have not escaped becoming victims of application attacks. The impact of these attacks has included damage to brand name, loss of revenue, loss of customer data, system or network downtime, and even legal issues with compliance to PCI (Payment Card Industry) or SOX (Sarbanes-Oxley) requirements.

In the current world, software security assurance needs to be addressed holistically and systematically, in the same way as quality and safety. Most of that assurance can be driven by improved software development practices. It is also important to realize that the cost of fixing a security defect increases the later in the SDLC it is found.

Sunday, September 07, 2008

I have been conducting Application Security workshops for developers, architects and testers for more than 3.5 years now, and I thought I would share my experience of running these AppSec workshops and talking to the folks in them.

Here is a bit of my experience, shared for everyone's benefit.

1. Requires Art to Involve Developers: While trying to talk to developers and breaking their myths about security, I have realized that the workshop needs a great deal of involvement.

"Tell me and I forget, teach me and I may remember, involve me and I learn" - Benjamin Franklin's line is perfectly apt for these kinds of workshops too. Dealing with developers, I had to engage with them to help them realize the impact of security on building software: giving real-life examples, and involving them through excitement, fun, relevance, problem solving and emotion.

2. Requires Art that can create excitement: Very often I need to build momentum by showcasing demonstrations that create excitement and keep it up. I have realized some pitfalls too: thinking that people would get excited as soon as they hear about an opinion or a product, thinking that the audience would automatically be enthusiastic if I am, and thinking I can create excitement by hitting the audience with "everything I have got".

I started to engineer "kickers" for my audience. For example, once I told them I was going to show them some magic: I have a magic piece of software which, if you enter your details, tells you something about your personal life. This created an atmosphere of curiosity and skepticism, where people started wondering how this could be and how true it was. Smart people started wondering where I could have hacked their personal information from. :) Either way, the faces in the audience told me that all eyes were on me constantly, on every move I made and every word I spoke. In reality, I had done some background work on my audience, finding their personal information from different people, places and sites I knew of, information it would be really interesting for them to learn that others knew. I leave it to you to guess what all these things might be! But my main aim was to make them think about where they had leaked this sensitive information and how, to make them imagine what could happen if this data were misused, and finally, for a day, to make them think like ATTACKERS. So yes, the kicker worked both in creating excitement and in bringing them into the workshop with a different attitude. Since then I have always tried to engineer different "kickers" for my workshops, and fortunately most of them have worked superbly.

3. Requires Persuasion with stories at times: Storytelling reveals meaning without committing the error of defining it. Stories are great persuaders because they create a sympathetic emotional response in an audience. For example, sharing some of my conversations with customers regarding security-related defects, or sharing how managers overcame all the budget issues and still fixed security defects, used to make a difference. The crux is that if I told the audience about the most embarrassing thing that ever happened to me, every member, on some level, was thinking either about a similar moment in their own life or about how they would feel in my situation. The emotions in the stories helped me guide decisions and could be a catalyst in helping the audience gain acceptance quickly.

4. Workshop that persuades with humour: An audience's laughter connects better and makes points memorable. It used to be like a pleasant lubricant for the flow of information. More than that, I could feel completely in control when I heard a wave of laughter coming back at me that I had caused, so this comedy was very controlling. I also prepared savers: not every joke works, so a piece of self-deprecating humour follows when the joke bombs. The key aspects I learnt while practising in every workshop were: I had to memorize the punch lines, localize the humour, deliver key phrases in the setup slowly and clearly, let people know when the punch line is coming, and, after a joke bombs, pause, wait for the laugh and regain control of the audience. :)

In different workshops, I tried different things: sometimes adding humour to introduce myself, adding humour to introduce a subject, to reinforce a key point after I had made it, to defuse anger or hostility at times, or to defuse criticism.

5. The Day that Inspires: I always used to dream that my workshop day would be one where everyone considers leaving their current job to come and work with me... haha... I knew it was not possible. I only wanted them to be inspired by what I could present. Every developer had to be told there is much more to software than just its functionality and the standard security measures they had been taking. It had to be a presentation that inspires and presents an action which, if taken, connects my audience to something extremely great or meaningful. I used to think that you have to be a gifted genius, a sainted visionary or touched by a great spiritual force to inspire an audience, but I was wrong. Slowly I learnt the way to inspire: creating a vision, asking deep in my heart "what does my audience need or want to believe?", and looking for greatness in small, everyday software development practices. I knew that if the vision stuck, it was time for the call to action.

6. Welcoming to the Real Security Perception: Most of my audience would come in carrying a very different perception of what security is, how much security is required and how it can be bolted in. The challenge was to change that perception. If the audience has a negative attitude towards a proposal, it will be hard to win approval. Every attitude is formed from the initial perceptions that created it. Change those perceptions and you can change the attitude; change the attitude and new behaviour can follow. This is what I learnt through all these workshops. I often redefined their process of evaluating software security: the attributes, the nice-to-have features, the must-have features, and so on.

About Me

He is involved in application security consulting and in establishing application security across the SDLC. He also conducts security workshops for the developer community. Besides his interest in application security, he likes performance testing and tuning of web applications.